Hello Michael, some thoughts causing two quested points >>> +# Convert seconds to days >>> +NEXTUPDATE="$((EXPIRINGDATEINSEC / DAYINSEC))"; >>> +# Update of the CRL in days before CRL expiring date >>> +UPDATE="2"; >> >> I think we should update every 14 days if the usual expiry time is 30. >> Therefore we will never get too close by accident. > > So i would need then an frcontab entry and another location for the script since the fcron directories provides only daily, weekly and monthly. > Another possibility might be a weekly check so we can use the fcron directories ? In case machines are off while the script performs his weekly check (no 24/7er) the next check will be made one/two week(s) later which might be a long time if you do not know where the problem is. I would do make there possibly a daily check and would also set the UPDATE to a week or 5 days instead of the current 2 before expiration date so more days can be grabbed even the check should be a fast one. >> Should we catch any errors of the openssl command? > > OK i would then use may a '2>&1 | logger -i -t openvpn' instead so we get an OpenSSL command output in messages if the CRL has been renewed. Have here two possibilities. 1) in error case: Feb 3 17:56:03 ipfire-server crl_updater[18986]: /etc/fcron.daily/ovpn_crl_updater.sh: line 56: /usr/bin/opensl: No such file or directory if successful: Feb 3 17:56:41 ipfire-server crl_updater[18998]: Using configuration from /var/ipfire/ovpn/openssl/ovpn.cnf which equals to the OpenSSL command output ( 2>&1 | logger ). or 2) in error case: Feb 2 19:02:34 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh - CRL update failed if successful: Feb 2 19:03:19 ipfire-server openvpn: /etc/fcron.daily/ovpn_crl_updater.sh - CRL has been updated if else query echo´s a defined message so search string like failed or updated can also be logged ? Otherwise all other quested changes has been made and are ready so far, might be nice to push the remaining CGI changes soon i think :-) . Greetings, Erik